Google recently began the rollout of the February 2019 Android security update, which addresses a total of 42 issues and fixes vulnerabilities of varying severity. But if you think this is just a regular security update, you might want to reconsider. One of the vulnerabilities fixed by Google could allow an attacker to plant malware simply by sending an image in PNG format. As soon as the user opens the image, the exploit triggers and allows bad actors to remotely execute arbitrary code and wreak havoc.
This is how Google describes it in its February 2019 Android security patch notes: “The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.” But despite Google having identified and fixed the issue, there is little respite for the millions of Android smartphone users out there. Why? Well, the February 2019 Android security update has only been released for the Pixel smartphones, the Pixel C tablet, and the Essential Phone. Needless to say, the number of Pixel devices in use is tiny compared to the millions of Android smartphones from other brands. To further aggravate the issue, the majority of at-risk users have not been told when their Android smartphone will receive the February 2019 Android security update that would protect them.
So, what can be done in this case? The best precaution is to not open images, specifically PNG files, received from an untrusted source via email, SMS, or a messaging platform. The focus here is on PNG files because the critical vulnerability is exploited through a specially crafted PNG file that executes arbitrary code within the context of a privileged process. Simply put, opening the malicious PNG file activates the exploit and could open the floodgates for downloading malware onto the device.
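One defensive measure that does not depend on a vendor update is to reject structurally malformed PNG files at a gateway (mail filter, MDM proxy) before they reach a device's image decoder. The following validator is an added example, not code from the original article or from Google; it only enforces the PNG format's own framing rules (signature, chunk lengths against file size, CRC-32, IHDR first, IEND last) and cannot identify the specific bug behind these CVEs, since the article does not describe it. The sample files are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1  # upper bound on chunk data length in the PNG spec

def validate_png(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the file
    passed every framing check (it says nothing about the decoded image)."""
    problems = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad signature"]
    pos, first, seen_iend = len(PNG_SIGNATURE), True, False
    while pos < len(data):
        if seen_iend:
            problems.append("trailing data after IEND")
            break
        if pos + 8 > len(data):
            problems.append("truncated chunk header")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > MAX_CHUNK_LEN or not ctype.isalpha():
            problems.append(f"bad length or type in chunk {ctype!r}")
            break
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(data):  # declared length overruns the file: classic decoder trip-up
            problems.append(f"chunk {ctype!r} length {length} runs past end of file")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:  # CRC covers type + data, not length
            problems.append(f"CRC mismatch in chunk {ctype!r}")
        if first and ctype != b"IHDR":
            problems.append("first chunk is not IHDR")
        if ctype == b"IHDR" and length != 13:
            problems.append("IHDR length is not 13")
        first, seen_iend, pos = False, ctype == b"IEND", end
    if not seen_iend:
        problems.append("missing IEND")
    return problems

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one well-formed chunk: length, type, data, CRC-32."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample: a valid 1x1 8-bit grayscale PNG (not an exploit file).
GOOD_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
# Constructed malformed variant: the IDAT length field (file offset 33) claims far more data than exists.
BAD_PNG = GOOD_PNG[:33] + struct.pack(">I", 0x7FFFFFFF) + GOOD_PNG[37:]
```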
The critical vulnerability is tracked under three CVEs (CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988) and affects Android smartphones running Android 7.0 up to and including Android Pie. Google says that so far, no incidents of bad actors exploiting the critical security bug have been reported. Moreover, Google notified all Android partners about the security bug one month prior to publishing details of the vulnerabilities and has also released the code patches to the Android Open Source Project (AOSP) repository.
While Pixel users have received an update that patches the critical vulnerability, other smartphone makers have yet to release an update addressing the issue on their devices. Until that happens, we advise you to refrain from opening PNG files received from unknown people and to install the security update as soon as it becomes available.